08-20-2025 07:57 AM
Hi
Would an expired ISE system certificate cause an ISE deployment patch to fail?
Thanks
08-26-2025 10:50 AM
Hi @benolyndav ,
PPAN replication status is Not Applicable, because the PPAN is the Publisher (responsible for the replication), the other Nodes are the Subscribers:
ise/admin# show tech-support
...
NAME PERSONA ROLE ACTIVE REPLICATION
--------------- ------- ---------- ------ ---------------
...
<Node Hostname> PAN PRIMARY NONE Not Applicable
...
You can also check that in the GUI ... at Administration > System > Deployment > hover the mouse over the Node Status bullseye:
for PPAN (Publisher) ... Message Count:
for the Other Nodes (Subscribers) ... Sync Status:
Hope this helps !!!
08-20-2025 08:01 AM
G'day @benolyndav, and no, an expired ISE system certificate won't block a patch installation, but it can affect services like admin login, RADIUS/EAP, or HTTPS access, so it's best to renew before patching.
-Enes
08-20-2025 08:09 AM
Hi @Enes Simnica
Thanks for that, would you suggest exporting certs before patching? I do this before an upgrade but I'm not sure whether it's required for patching.
Thanks
08-20-2025 08:12 AM
You are absolutely welcome @benolyndav. About your question: exporting certs isn't required for patching, but it's a good practice to back them up (along with the config) just like you do before an upgrade, for recovery if anything goes wrong... You know, just so you can sleep well LOOOL...
hope it helps!
-Enes
08-20-2025 08:25 AM
@Enes Simnica
I tried an export from the CLI and got the message below. Any idea why? I've done this before successfully.
Export Operation Failed. ISE CA keys are not in the trust store, check ISE node role or whether CA certificate is revoked/deleted
Thanks
08-20-2025 08:30 AM
@benolyndav That usually means the ISE node you're exporting from isn't the Primary Administration Node (PAN) or that the certificate authority keys were removed/revoked. Try the export from the PAN, and check under Administration - System - Certificates - Certificate Authority to confirm the CA keys are present and valid. Which means that if the keys are missing, you'll need to re-import or regenerate them before the export will work...
08-20-2025 09:04 AM
@Enes Simnica
I have just run a tech-support and under deployment it states that the SEC PAN is actually ACTIVE and the PRI PAN STANDBY; you were right.
Thanks
08-20-2025 09:16 AM
@benolyndav That can happen if the primary PAN lost communication with the rest of the deployment or a manual role swap occurred. Only one PAN can be active at a time, so if the secondary shows as active it has taken over. And my Cisco friend, I would suggest checking synchronization status, NTP alignment, and network connectivity between the PANs. So, if the primary is healthy, you can manually promote it back to active...
08-20-2025 09:35 AM - edited 08-20-2025 09:57 AM
The strange thing is though, under Deployment in the GUI the Secondary's Promote button is still highlighted and ready to press, and also I am not sure how to promote the PRI PAN back to Active; there is no button for that.
What I mean is, when I log into ISE I'm still logging into the PRI PAN GUI, but show tech-support says the SEC PAN is ACTIVE,
and also the cert export didn't work from the PRI PAN but did from the SEC PAN?
Thanks
08-20-2025 10:03 AM
@benolyndav alright, I see. As far as I can remember from my last project, in ISE only the Secondary PAN ever shows the Promote to Primary button in the GUI, which is what's expected. So the Primary PAN won't show a promote option because it's already designated as primary by role, even if it's currently in standby... So let me use some bullet points to explain what is happening in your case:
and to get the primary PAN back to active, you need to:
and also before promoting, please, please confirm NTP and replication status, because if the primary is out of sync, forcing it Active can cause database issues. And check this link also: Setting Up Cisco ISE in a Distributed Environment [Cisco Identity Services Engine] - Cisco Systems
hope it wasn't a looong answer, and hope it helps
-Enes
08-26-2025 01:09 AM
@Enes Simnica
So I tried this but it promoted the Secondary to PRI PAN, as when I browsed to the SEC PAN's address it was now the PRI PAN. Very weird; do you think it's a bug?
P.S. apologies for the late response
08-26-2025 04:53 AM
@benolyndav We're good, man. And actually, that's expected: when you hit Promote to Primary on the Secondary, it flips roles, so the Secondary becomes the new Primary PAN. Not a bug. So you're good!
hope it helped and stay EXPERT!
-Enes
08-26-2025 08:43 AM
@Enes Simnica but when I try to export the certs via CLI I get this message (Export Operation Failed. ISE CA keys are not in the trust store, check ISE node role or whether CA certificate is revoked/deleted). Any idea why at all? I ran a tech-support and it looks like the correct PAN is the PRI. I do see something I'm not too sure about, it's the (Not Applicable); any idea on that also?
DC-STH-ISE-01 PAN,MNT SECONDARY ACTIVE SYNC COMPLETED
DC-NTH-ISE-01 PAN,MNT PRIMARY STANDBY Not Applicable
08-26-2025 05:18 AM - edited 08-26-2025 05:19 AM
Hi @benolyndav ,
in an ISE cluster you can have only 2 PANs, Primary and Secondary.
Whenever you hit the Promote to Primary button on the SPAN:
the SPAN becomes the PPAN, and you have to use the "old SPAN" IP address to access the ISE GUI for administration.
About Certificate ...
You can export via CLI:
ise/admin# application configure ise
Selection configuration option
[1]Reset M&T Session Database
...
[7]Export Internal CA Store
[8]Import Internal CA Store
...
[44]CA Diagnostic Tool
[0]Exit
and via GUI:
at Administration > System > Certificates > Certificate Management > System Certificates:
at Administration > System > Certificates > Certificate Management > Trusted Certificates:
About your SPAN showing ACTIVE ...
PPAN and SPAN example:
ise/admin# show tech-support
...
NAME PERSONA ROLE ACTIVE REPLICATION
--------------- ------- ---------- ------ ---------------
<Node Hostname> PSN SECONDARY NONE SYNC COMPLETED
<Node Hostname> PSN SECONDARY NONE SYNC COMPLETED
<Node Hostname> PSN SECONDARY NONE SYNC COMPLETED
<Node Hostname> PAN PRIMARY NONE Not Applicable
<Node Hostname> MNT SECONDARY ACTIVE SYNC COMPLETED
<Node Hostname> PSN SECONDARY NONE SYNC COMPLETED
<Node Hostname> PXG SECONDARY NONE SYNC COMPLETED
<Node Hostname> MNT SECONDARY STANDBY SYNC COMPLETED
<Node Hostname> PAN SECONDARY NONE SYNC COMPLETED
<Node Hostname> PXG SECONDARY NONE SYNC COMPLETED
...
please check whether your SPAN is also the PMnT: the ACTIVE is for the PMnT and not for the SPAN.
Hope this helps !!!
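As an added example (not from the thread or from Cisco), a small Python parser for the show tech-support deployment table quoted in this answer and in the accepted solution, applying the rules both answers give: the Primary PAN (publisher) legitimately shows Not Applicable under REPLICATION, every other node should show SYNC COMPLETED, and ACTIVE/STANDBY describes the MnT persona rather than the PAN role. The column layout follows the posted outputs; the SAMPLE table is constructed (node names from the thread, the psn-01 line and its SYNC IN PROGRESS value are made up to produce a finding).

```python
from dataclasses import dataclass

# Constructed sample modelled on the deployment tables posted in this thread.
SAMPLE = """\
NAME            PERSONA  ROLE       ACTIVE  REPLICATION
--------------- -------- ---------- ------- ---------------
DC-STH-ISE-01   PAN,MNT  SECONDARY  ACTIVE  SYNC COMPLETED
DC-NTH-ISE-01   PAN,MNT  PRIMARY    STANDBY Not Applicable
psn-01          PSN      SECONDARY  NONE    SYNC IN PROGRESS
"""

@dataclass
class Node:
    name: str
    personas: list
    role: str
    active: str
    replication: str

def parse_deployment(text):
    """Parse the deployment table; REPLICATION may span several words."""
    nodes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "NAME" or parts[0].startswith("-"):
            continue  # header, separator, or '...' lines
        nodes.append(Node(parts[0], parts[1].split(","), parts[2],
                          parts[3], " ".join(parts[4:])))
    return nodes

def check_deployment(nodes):
    """Return findings; an empty list means the table looks healthy."""
    findings = []
    pans = [n for n in nodes if "PAN" in n.personas]
    if sum(1 for n in pans if n.role == "PRIMARY") != 1:
        findings.append("expected exactly one PRIMARY PAN")
    if len(pans) > 2:
        findings.append("a deployment has at most two PANs")
    for n in nodes:
        if "PAN" in n.personas and n.role == "PRIMARY":
            # The PPAN is the publisher, so replication is Not Applicable.
            if n.replication != "Not Applicable":
                findings.append(f"{n.name}: PPAN replication should be Not Applicable")
        elif n.replication != "SYNC COMPLETED":
            findings.append(f"{n.name}: subscriber replication is '{n.replication}'")
        if n.active != "NONE" and "MNT" not in n.personas:
            # ACTIVE/STANDBY describes the MnT persona, not the PAN role.
            findings.append(f"{n.name}: ACTIVE column set on a node without MNT")
    return findings
```

Run check_deployment(parse_deployment(output)) against the table pasted from your own tech-support; the two-node case from this thread produces no findings.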
08-26-2025 08:44 AM
@Marcelo Morais
Thanks for the info, I see you have the Not Applicable; is that how it is then for the PRI PAN?